forwarding subdomain to internal box

Wim Livens wli at escaux.com
Fri Feb 13 18:31:41 UTC 2009


I'm trying to delegate a subdomain to a server that is not directly
accessible from the internet, yet be able to resolve names in the
subdomain from the internet.  I understood 'forwarding' would be the
solution but I can't get it to work completely:

I have on both ns1 and ns2 which are authoritative for company.com
(irrelevant parts omitted):

zone "company.com" {
        type master;
};

zone "sub.company.com" {
        type forward;
        forwarders { 10.0.0.10; }; //devbox
};

options {
        allow-recursion { any; };  //temporary, just to test
};

And the company.com zonefile:
                      NS      ns1.company.com.
                      NS      ns2.company.com.
sub                   NS      devbox.company.com.
devbox.company.com.   A       10.0.0.10

devbox is an internal box running a specialized DNS server written in
Perl that answers:
   stuff.sub.company.com.    A      X.X.X.X
   sub.company.com.         NS        devbox.company.com.

ns1/ns2 are dual homed (internet/intranet). devbox is accessible from
ns1/ns2 but not from the internet.

Resolving from a client somewhere outside on the internet seems to work:

client:~$ dig stuff.sub.company.com a @ns1.company.com

;; ANSWER SECTION:
stuff.sub.company.com.  1M IN A  X.X.X.X

;; AUTHORITY SECTION:
sub.company.com.    1H IN NS        devbox.company.com.

;; ADDITIONAL SECTION:
devbox.company.com.      1H IN A         10.0.0.10

However:

client:~$ dig stuff.sub.company.com a
...times out

I tried from various known-to-work clients with various nameservers in
resolv.conf, none work except for ns1/ns2 itself.

Any ideas what I'm doing wrong? How is it possible that a direct query
from anywhere in the world to ns1/ns2 works, but a caching/forwarder is
unable to resolve it?

Thanks,

Wim.
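The situation in the post is a delegation whose glue points into RFC 1918 space: ns1/ns2 answer directly because the forward zone applies to queries they recurse for themselves, but a resolver elsewhere on the internet follows the `sub NS devbox` delegation to 10.0.0.10 and cannot reach it. The check below is an added example, not code from the post or from BIND; it parses a constructed zone-file fragment modelled on the one above (ns1/ns2 glue uses TEST-NET documentation addresses as stand-ins for public ones) and flags every NS delegation whose glue A record is non-routable from the public internet. The parser handles only `$ORIGIN`, `@`, relative names, optional TTL/class tokens, and NS/A records, which is all the fragment needs.

```python
import ipaddress

# Constructed zone-file fragment modelled on the post (not real data).
# 203.0.113.0/24 is TEST-NET-3, used here in place of public addresses.
SAMPLE_ZONE = """\
$ORIGIN company.com.
@          NS   ns1.company.com.
@          NS   ns2.company.com.
ns1        A    203.0.113.10
ns2        A    203.0.113.11
sub        NS   devbox.company.com.   ; delegation to an internal box
devbox     A    10.0.0.10
"""

# Address space that resolvers on the public internet cannot reach:
# RFC 1918 private ranges, loopback and link-local.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def is_non_routable(ip):
    """True when the address falls in one of the NON_ROUTABLE networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NON_ROUTABLE)


def qualify(name, origin):
    """Turn '@' or a relative owner/rdata name into a fully qualified name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text, origin="."):
    """Minimal zone parser: returns (ns_records, a_records).

    ns_records is a list of (zone_name, nameserver_name) tuples;
    a_records maps an owner name to its list of IPv4 addresses.
    Only $ORIGIN, '@', relative names and NS/A records are handled.
    """
    ns_records = []
    a_records = {}
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()   # drop zone-file comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            if not origin.endswith("."):
                origin += "."
            continue
        parts = line.split()
        owner = qualify(parts[0], origin)
        rest = parts[1:]
        # skip an optional TTL (e.g. 3600) and class (IN) before the type
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]
        if len(rest) < 2:
            continue
        rtype, rdata = rest[0].upper(), rest[1]
        if rtype == "NS":
            ns_records.append((owner, qualify(rdata, origin)))
        elif rtype == "A":
            a_records.setdefault(owner, []).append(rdata)
    return ns_records, a_records


def find_private_delegations(text):
    """Return (child_zone, nameserver, ip) for every NS record whose glue
    A record is non-routable; such a delegation works for hosts that can
    reach the internal network but times out for public resolvers."""
    ns_records, a_records = parse_zone(text)
    findings = []
    for zone, server in ns_records:
        for ip in a_records.get(server, []):
            if is_non_routable(ip):
                findings.append((zone, server, ip))
    return findings


if __name__ == "__main__":
    for zone, server, ip in find_private_delegations(SAMPLE_ZONE):
        print(f"{zone} is delegated to {server} ({ip}), unreachable from the internet")
```

Run against the sample it reports the `sub.company.com.` delegation only; the apex NS records for ns1/ns2 pass because their glue is outside the non-routable list. A zone that must be resolvable from the internet needs its delegated name servers to be reachable there as well, whichever way the internal server is then fed (for example by a publicly reachable secondary or a stub/forward configuration on a public-facing server).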
